Security groups in SharePoint - managing access dynamically

Tweet

 

SharePoint is becoming ever more popular, especially with the upcoming release of SharePoint 2010.  SharePoint is an excellent tool for communication but we're getting more and more questions about how to use Active Directory's group structure to manage access.  Large enterprises with thousands of users need a simpler way to manage SharePoint access.

Some tips that we find useful both internally and from discussions with our customers are:

1. Grant SharePoint access via groups rather than users.
2. Use AD groups rather than SharePoint groups to increase flexibility and ease of management.
3. Dynamically manage as many of the groups as possible; use a tool to write queries that keep membership accurate (not QBDL obviously).
4. Name the Active Directory groups with descriptive names and always fill in the description for users to know what the group is for.
5. Allow SharePoint resource owners to manage the membership in their own groups through self-service.
6. Allow self-service for users to join and leave groups.  It is important though that if you open up web-based group management, you must ensure that you have security controls in place.
   1. have workflow set up if you want to allow for group subscription; this allows the group owner to approve or deny a request to join the security group.
7. Mail enable the AD groups to allow for easier communication about that SharePoint resource.

One factor that is becoming more prevalent is auditing access to SharePoint resources.  As more and more business critical information is posted to SharePoint, a strong Active Directory auditing solution will help monitor group membership and ensure that only the correct users have access to these resources.

Managing groups is always easier than managing users if you have the appropriate tools and processes in place to ensure they are accurate.